Pour les utilisateurs

Fermer

Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Recherche
Recherche

Contacter-nous !
Support 24/24 | Rules regarding submitting

Envoyer un message

Requête à l'aide du formulaire

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -
Créer une nouvelle requête

Nous téléphoner

0 825 300 230

Profil

FR

RU CN DE EN ES FR IT JP KZ UZ PL BY
Fermer
Services support
Scanners
Dr.Web vxCube
Démo
Bibliothèque virale
Base documentaire

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Actualités

Linux.MulDrop.142

Added to the Dr.Web virus database: 2024-06-20

Virus description added:

  • ssh1:e19a33ad9aac046cffc806cd80280854588b879a

Description

A trojan dropper for Linux written in C and packed using UPX. It is used to deliver a variety of malware to a compromised system, including the Linux.Rootkit.400 (LKM) rootkit, the Linux.BtcMine.815 miner, and the Linux.BackDoor.Pam.8/9 and Linux.BackDoor.SSH.425/426 backdoors. It is quite large, as it contains rootkits for different distributions and kernel versions (about 60 modifications).

MITRE matrix

Stage Tactic
Execution (TA0002) Unix Shell (T1059.004)
Persistence (TA0003) Kernel Modules and Extensions (T1547.006)
Privilege Escalation (TA0004) Kernel Modules and Extensions (T1547.006)
Defense Evasion (TA0005) Software Packing (T1027.002)
File and Directory Permissions Modification (T1222.002)
File deletion (T1070.004)
Rootkit (T1014)
Disable or Modify Tools (T1562.001)
Match Legitimate Name or Location (T1036.005)
Timestomp (T1070.006)

Operating routine

  1. The dropper accesses the following files and, using the chattr system utility, removes a number of attributes:
    Files Attributes 
    
/usr/bin
/usr/bin/ssh
/usr/bin/scp
/lib/udev
/etc /etc/pam.d
/etc/pam.d/common-account
/etc/pam.d/common-password
/etc/pam.d/common-session
/etc/pam.d/common-session-noninteractive
    		a – only allows information to be added to the file
    i - prohibits the file from being renamed or deleted
    e - indicates the use of extents* by the file

    *This is an attacker's mistake since this attribute cannot be removed with chattr.

  2. Using the uname command, the dropper determines the Linux kernel version. Based on this information, it selects compatible rootkits and places them in the following paths:
    /lib/udev/collectd/kmeminfo.ko — a malicious kernel module that installs a network filter to bypass the firewall.
    /lib/udev/collectd/mcpuinfo.koLinux.Rootkit.400, a rootkit that hides the activity of the CPU, kernel modules, processes, and network ports.
  3. Checks the hashes of sshd and scp executables. If they don't match the values stored in the dropper, the specified files are replaced with malicious versions.:
    /usr/bin/sshLinux.BackDoor.SSH.425 collects SSH credentials and stores them in the olog.h file
    /usr/bin/scp — sends the olog.h file to the attackers
  4. If no compatible rootkit is found as part of the dropper, the server logs are cleared and the server is rebooted. If the rootkit is successfully installed, the /etc/reviews directory is created. It contains the following files, which are patched versions of system diagnostic utilities that have been modified to work with the mcpuinfo.ko rootkit:
    Legitimate tool Patched version
    conntrack /etc/reviews/cn
    ifconfig /etc/reviews/ig
    ip /etc/reviews/ip
    iftop /etc/reviews/it
    netstat /etc/reviews/nt
    route /etc/reviews/rt
    unhide-tcp /etc/reviews/up
    unhide-linux /etc/reviews/uu
    unhide-posix /etc/reviews/ux
    tcpdump /etc/mountinfo
    busybox /etc/dhclientd
    telnet /etc/dhclientdx
    ping /etc/dhclientdd
    1. 4.1 Additionally, the following files are created:
      /usr/bin/biosdecoded — contains malicious versions of pam_echo.so and pam_sftp.so, and ensures that they are loaded on a system call
      /usr/bin/devlinkedLinux.MulDrop.151, is a dropper for the Linux.BtcMine.815 miner (xmrig)
      /usr/bin/matchpathcondLinux.BackDoor.SSH.426 (SSH backdoor)
      /usr/bin/postcatedLinux.Stealer.8, like scp, performs the function of sending the olog.h file to intruders
      /usr/bin/postmapedLinux.Siggen.7907 removes artifacts created during infection
      /usr/bin/telinitedLinux.BackDoor.RCTL.2, a remote access and control trojan (https://github.com/ycsunjane/rctl/blob/github/client/rctl.c)
  5. Before loading rootkits, the modprobe utility loads the inet_diag, tcp_diag, and udp_diag modules and unloads the sysdig_probe_probe. If these commands are successful, it redirects the output of echo 8 to the file /tmp/8.txt. It then runs the insmod command to load mcpuinfo.ko and kmeminfo.ko. If the modules were not loaded successfully, the logs are cleared and the server is restarted.
  6. The following binaries are launched: 
    
/usr/bin/biosdecoded
/usr/bin/devlinked
/usr/bin/matchpathcond
/usr/bin/postcated
/usr/bin/postmaped
/usr/bin/telinited

    In addition, before launching each of the above files, the rootkit interacts with /proc/sys/kernel/ns_last_pid and /proc/sys/kernel/pid_max, where information about the ID of the last malicious file launched is recorded. In addition, numbered files such as 1.txt, 2.txt, and so on are stored in the /tmp directory, the appearance of which is determined by the successful execution of a particular stage of the attack.

  7. It performs a log cleanup and deletes temporary files.

Recommandations pour le traitement

Linux

Veuillez lancer le scan complet de toutes les partitions du disque à l'aide de Dr.Web Antivirus pour Linux.

Version démo gratuite

Pour 1 mois (sans enregistrement) ou 3 mois (avec enregistrement et remise pour le renouvellement)

Télécharger Dr.Web

Par le numéro de série